Yet another quick howto, related to the howto about securing owner keys.
This time: Secure your owner key and keep signing blocks for delegates
TL;DR:
- secure the owner key of your delegate
- continue signing blocks
- keep your votes in even if your VPS with the signing key is compromised
This is not a cold storage solution, but rather a howto for having just the one necessary key on the delegate machine which is NOT the owner key of the registered account name (to which votes/approvals are bound!)
I recommend that EVERY delegate consider this howto!
Important Remark:
This tutorial will add a RANDOM key as a new delegate signing key. Hence this signing key cannot be regenerated or derived from the delegate's owner key.
The random key will be added to your wallet (into your delegate's account) and the delegate will continue signing as usual.
It is REQUIRED that you let the delegate run for at least ONE round (better 2 or more .. say 60 minutes or so) with BOTH keys in the wallet.
The reason for this is the SECRET that has to be revealed using the 'old' signing key while signing the block with the new signing key.
Howto:
1) make a backup of your wallet
(Optional) Extract your owner key for cold storage or whatever:
wallet_dump_account_private_key <delegatename> owner_key
2) Generate a new private key
Several tools exist to do so:
- one is located near the bitshares executable (if you compiled yourself) in
"programs/utils/" and is called bts_create_key
- in the bitshares-pytools repository (github.com/xeroc/) there is a tool called
genbtskey.py (in tools) that generates a new privkey/pubkey pair
- you can also use bitshares-js as shown here
As a result we will get something like this:
"public_key" : "BTS8RCDZ8aPRxJYVnK7KWmqnTjTPj4H8oY1KtzBcFqbzSp14AGpzh", <<--- pubkey
"wif_private_key" : "5Hwb7G481UsKnjPEb135iWHRGDvLWH5nW6QH4b5vcKS7gGFkdGx", <<-- privkey
"native_address" : "BTSe3YhhRrTfgkGmEECw7yxZvpaQkSToEgS", (not required here)
3) import the private key into your account:
wallet_import_private_key <wif-from-2)> <delegatename> false false
wallet_import_private_key 5Hwb7G481UsKnjPEb135iWHRGDvLWH5nW6QH4b5vcKS7gGFkdGx delegate.xeroc false false
4) Fund the delegate with 0.5 BTS to pay for the update transaction
5) Update the signing key
wallet_delegate_update_signing_key <delegatename> <delegatename> <pubkey-from-2)>
wallet_delegate_update_signing_key delegate.xeroc delegate.xeroc BTS8RCDZ8aPRxJYVnK7KWmqnTjTPj4H8oY1KtzBcFqbzSp14AGpzh
- the key from step 2) is now required by any machine of yours that has the
delegate running and eventually has to sign a block
- your delegate should continue signing blocks as usual as we imported the
required key in step 3)
- you can dump the signing key from that account again at any time by issuing:
wallet_dump_account_private_key <delegatename> active_key
If you want to set up a new wallet that contains only the signing key, the only
thing you have to do is import the privkey with
The client can figure out the delegate's name automatically.
Make sure that between step 5) and moving over to a new wallet with the new key,
at least one round of delegates has passed. I recommend running steps 1)
to 5) 24h before creating a new signing-key-only wallet.
The brave users can take a look at this script:
which is doing exactly the steps 1)-5)
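
An added example (not part of the original howto, and not the code of bts_create_key or genbtskey.py) for the private-key half of step 2): it draws a random key from the OS CSPRNG, encodes it as WIF, and checks a WIF string's version byte and checksum before it is pasted into wallet_import_private_key on another machine. It assumes the usual uncompressed WIF layout (version byte 0x80, double-SHA256 checksum); the function names are hypothetical, and the matching public key still has to come from one of the tools listed in step 2).

```python
import hashlib
import secrets

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Order of the secp256k1 group; a valid private key k satisfies 1 <= k < N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def wif_encode(key: bytes) -> str:
    """Base58Check-encode a 32-byte private key (assumed version byte 0x80)."""
    if len(key) != 32 or not 1 <= int.from_bytes(key, "big") < N:
        raise ValueError("not a valid secp256k1 private key")
    raw = b"\x80" + key
    num, out = int.from_bytes(raw + _checksum(raw), "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return out  # raw starts with 0x80, so there are no leading zero bytes


def wif_decode(wif: str) -> bytes:
    """Return the 32 key bytes, or raise ValueError if the string is damaged."""
    num = 0
    for ch in wif:
        if ch not in B58:
            raise ValueError(f"invalid base58 character {ch!r}")
        num = num * 58 + B58.index(ch)
    if num.bit_length() > 37 * 8:
        raise ValueError("too long for a WIF private key")
    raw = num.to_bytes(37, "big")  # version + 32 key bytes + 4 checksum bytes
    body, check = raw[:-4], raw[-4:]
    if body[0] != 0x80:
        raise ValueError("wrong version byte or truncated string")
    if _checksum(body) != check:
        raise ValueError("checksum mismatch (typo while copying?)")
    return wif_encode(body[1:]) and body[1:]  # re-encode to range-check the key


def new_signing_key() -> str:
    """Fresh random key from the OS CSPRNG; not derived from the owner key."""
    while True:
        key = secrets.token_bytes(32)
        if 1 <= int.from_bytes(key, "big") < N:
            return wif_encode(key)
```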